On March 3, news first broke about the Factoring attack on RSA-EXPORT Keys (FREAK) attack against Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. Two weeks after that initial disclosure, security firm FireEye has found that both Apple iOS and Google Android apps are still at risk.
FREAK, also identified as CVE-2015-0204, is a cryptographic weakness in export-grade cryptography that can be used for SSL/TLS. FireEye scanned 10,985 Android apps that had 1 million or more downloads and found that 1,228 of them were at risk from FREAK. The story for Apple iOS apps is somewhat better, with only seven apps out of 14,079 apps tested found to be vulnerable to FREAK, so long as the user is running iOS 8.2. Apple released iOS 8.2 on March 9, providing a fix for FREAK at the operating system layer. FireEye found that 771 iOS apps were vulnerable on Apple devices not running IOS 8.2.
SSL/TLS connections rely on cryptographic libraries present on both end-user devices as well as the back-end server.
"We evaluated both client-side OpenSSL implementations and server-side SSL configurations to determine whether the app is vulnerable to FREAK," Tao Wei, senior research scientist at FireEye, told eWEEK.
The risk with FREAK is that it can be leveraged by an attacker in a man-in-the-middle (MiTM) attack, in which the attacker is able to intercept traffic between vulnerable clients and servers. FREAK is a weakness in implementations of SSL/TLS that may allow an attacker to decrypt secure communications, according to Wei.
As to why mobile apps are still at risk from FREAK, Wei said that there are multiple reasons.
"Some developers and their server admins are simply not aware of the severe consequences of this issue, and some servers are hard to upgrade due to compatibility issues with old clients," he said.
While a good number of mobile apps are still vulnerable to FREAK, that has declined over the past two weeks. Wei said that FireEye started to monitor FREAK issues for mobile apps just after the vulnerability was disclosed on March 3. In a blog post, FireEye has provided a graph showing that some apps were, in fact, patched between March 5 and March 10. The data shows that multiple classes of apps, including photo and video, lifestyle, social networking, finance, communication, shopping, business and medial, are at risk.
"In our blog, we show the change of those fixed apps/servers, and the number is starting to decrease," Wei said. "But according to our experience, it will be a long-tail process. That's why we are publishing this research—to make more developers aware of how severe this vulnerability is to them."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.